FreeRADIUS configuration Marko Stojakovic, AMRES NA3 T4, Belgrade, 12.09.2011
Contents • Introduction • FreeRADIUS platform • FreeRADIUS server installation • Authentication configuration • Accounting configuration • Logging configuration • New attributes – CUI and ON
Introduction • RADIUS – Remote Authentication Dial In User Service • Networking protocol which provides a centralized AAA service • “Who are you?” (Authentication) • “What services am I allowed to give you?” (Authorization) • “What did you do with my services while you were using them?” (Accounting)
FreeRADIUS platform (1) • www.freeradius.org • Open-source project • Current version is 2.1.11 • Supported OSs: • Linux (CentOS, Debian, Mandriva, Red Hat, SUSE, Ubuntu) • FreeBSD • Solaris • OpenBSD
FreeRADIUS installation (1) • Before FreeRADIUS installation: • Make sure your system has gcc, glibc, binutils, and gmake installed before trying to compile • Other dependencies (based on modules that you need): • Openssl, openssl-devel – needed for FR EAP module to work • LDAP (if you have LDAP database) • MySQL
FreeRADIUS installation (2) • Installation (with output redirection):
    ./configure --flags > text.file
    make
    make install (root privileges)
• You can use --flags to customize the settings (use --help to see all available flags)
FreeRADIUS installation (3) • configure --with-openssl .... > config.txt
    [root@radius freeradius-server-2.1.11]# ./configure --with-openssl > config.txt
    configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work
    configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work
    configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.
    configure: WARNING: silently not building rlm_counter.
    configure: WARNING: FAILURE: rlm_counter requires: libgdbm.
    configure: WARNING: FAILURE: rlm_dbm requires: (ndbm.h or gdbm/ndbm.h or gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat).
    configure: WARNING: silently not building rlm_dbm.
    configure: WARNING: the TNCS library isn't found!
    configure: WARNING: silently not building rlm_eap_tnc.
    configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
    configure: WARNING: silently not building rlm_eap_ikev2.
    configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
    configure: WARNING: silently not building rlm_ippool.
    configure: WARNING: FAILURE: rlm_ippool requires: libgdbm.
    configure: WARNING: silently not building rlm_pam.
    configure: WARNING: FAILURE: rlm_pam requires: libpam.
    configure: WARNING: silently not building rlm_python.
    configure: WARNING: FAILURE: rlm_python requires: Python.h.
    configure: WARNING: silently not building rlm_sql_iodbc.
    configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodb.
FreeRADIUS installation (5) • raddb - FreeRADIUS configuration folder • Check if the radius daemon will start (with the default configuration) • Starting the server in debugging mode: radiusd -X
FreeRADIUS authentication configuration • Which EAP type to deploy • EAP type configuration • Virtual server configuration • NAS client parameter configuration • Connecting FreeRADIUS with user database • Processing of Auth requests
Which EAP type to deploy (1) • Supported EAP authentication types (by FreeRADIUS): • EAP-TLS • EAP-TTLS • PEAP • EAP-GTC • LEAP • EAP-MD5
Which EAP type to deploy (2) • If your ID management infrastructure supports X.509 client certificates – then you can use EAP-TLS • If your ID management infrastructure uses username/password: • Passwords in clear-text or as NT-hash? – EAP-TTLS, PEAP • If the passwords are in any other format - then you can use only EAP-TTLS
EAP type configuration – raddb/eap.conf
    eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_password = whatever
            private_key_file = ${certdir}/private.key
            certificate_file = ${certdir}/server.pem
            CA_file = ${cadir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = /dev/urandom
            fragment_size = 1024
            include_length = yes
            check_crl = no
            cipher_list = "DEFAULT"
        }
        ttls {
            default_eap_type = pap
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
    }
Virtual server creation (1) • Two virtual servers • The first one processes requests before the EAP tunnel is established (“outer-tunnel”) • The second one processes requests inside the EAP tunnel (“inner-tunnel”) • Location: • raddb/sites-available/outer-tunnel • raddb/sites-available/inner-tunnel • Soft links for the enabled virtual servers: • raddb/sites-enabled/
Virtual server creation (2) – raddb/sites-available/outer-tunnel
    server outer-tunnel {
        authorize {
            preprocess
            chap
            mschap
            digest
            suffix
            eap
            files
            expiration
            logintime
            pap
        }
        authenticate {
            Auth-Type PAP { pap }
            Auth-Type CHAP { chap }
            Auth-Type MS-CHAP { mschap }
            digest
            unix
            eap
        }
        preacct {
            preprocess
            acct_unique
            suffix
            files
        }
        accounting {
            detail
            unix
            radutmp
            exec
            attr_filter.accounting_response
        }
        session {
            radutmp
        }
        post-auth {
            reply_log
            exec
            Post-Auth-Type REJECT { attr_filter.access_reject }
        }
        pre-proxy {
        }
        post-proxy {
            eap
        }
    }
Virtual server creation (3) – raddb/sites-available/inner-tunnel
    server inner-tunnel {
        authorize {
            suffix
            update control {
                Proxy-To-Realm := LOCAL
            }
            eap
            files
            expiration
            logintime
            pap
        }
        authenticate {
            Auth-Type PAP { pap }
            Auth-Type CHAP { chap }
            Auth-Type MS-CHAP { mschap }
            unix
            eap
        }
        session {
            radutmp
        }
        post-auth {
            Post-Auth-Type REJECT { attr_filter.access_reject }
        }
        pre-proxy {
        }
        post-proxy {
            eap
        }
    }
Client parameter configuration – raddb/clients.conf
    client AP-library {
        ipaddr = 192.168.1.25
        secret = mYs3cr3t
        shortname = AP1
        nastype = other
        virtual_server = outer-tunnel
    }
    client radius2 {
        ipaddr = 192.168.6.34
        secret = uRs3cr3t
        shortname = radius2
        nastype = other
        virtual_server = outer-tunnel
    }
Connecting to user database (1) • User database: • LDAP – Lightweight Directory Access Protocol • Active Directory • FreeRADIUS users file • Additional configuration lines should be added to inner-tunnel • Configuration of the additional modules depends on the database type
Connecting to user database (2) - LDAP • LDAP configuration file /raddb/modules/ldap
    ldap {
        server = "localhost"
        identity = "uid=reader,ou=SystemAccounts,dc=bg,dc=ac,dc=rs"
        password = b1g$3cr3t
        basedn = "ou=People,dc=bg,dc=ac,dc=rs"
        ...
• Mapping between RADIUS and LDAP attributes is configured in /raddb/ldap.attrmap
    checkItem SMB-Account-CTRL-TEXT acctFlags
    checkItem Expiration radiusExpiration
    checkItem NAS-IP-Address radiusNASIpAddress
    checkItem Cleartext-Password userPassword
    checkItem User-Name uid
    #checkItem Pool-Name ismemberof
Connecting to user database (3) - LDAP – inner-tunnel
    authorize {
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap
        files
        ldap
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP { pap }
        ...
Connecting to user database (4) - Active Directory • Kerberos • Samba
    ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=pass
• Configuration of the /raddb/modules/ntlm_auth file
    exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=Domain --username=%{Stripped-User-Name} --password=%{User-Password}"
    }
Connecting to user database (5) - Active Directory – inner-tunnel
    authorize {
        suffix
        update control {
            Proxy-To-Realm := LOCAL
            Auth-Type := ntlm_auth
        }
        eap
        files
        ntlm_auth
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type ntlm_auth {
            ntlm_auth
        }
        ...
Connecting to user database (6) - FR users file
    john Cleartext-Password := "J0#n46!"
• Manipulating authentication requests
• Adding the files configuration parameter to inner-tunnel:
    server inner-tunnel {
        authorize {
            auth_log
            eap
            files
            mschap
            pap
        }
        ...
Processing of Auth requests • Do we want to process the requests only locally, or do some authentication requests require proxying to another server? • IdP or IdP+RP (eduroam)? • The relevant configuration file is raddb/proxy.conf
Processing of Auth requests – proxy.conf – Local
    proxy server {
        default_fallback = no
    }
    home_server localhost {
        type = auth+acct
        ipaddr = 127.0.0.1
        port = 1812
        secret = testing123
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
    }
    realm inst-domain {
        authhost = LOCAL
        accthost = LOCAL
        User-Name = "%{Stripped-User-Name}"
    }
    realm LOCAL {
    }
    realm NULL {
    }
Processing of Auth requests – proxy.conf – Local + Proxy
    home_server radius2 {
        type = auth+acct
        ipaddr = 192.168.14.15
        port = 1812
        secret = r@diu$
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
    }
    home_server_pool radius2 {
        home_server = radius2
    }
    realm DEFAULT {
        pool = radius2
        nostrip
    }
    proxy server {
        default_fallback = no
    }
    home_server localhost {
        type = auth+acct
        ipaddr = 127.0.0.1
        port = 1812
        secret = testing123
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
    }
    realm inst-domain {
        authhost = LOCAL
        accthost = LOCAL
        User-Name = "%{Stripped-User-Name}"
    }
    realm LOCAL {
    }
    realm NULL {
    }
RADIUS Accounting configuration (1) • Depends on whether the devices you use as NAS support RADIUS Acct (Cisco, Lancom) • MySQL configuration: • Create a table (table examples can be found in raddb/sql/mysql/) • Create a user with write privileges • FreeRADIUS configuration: • Create accounting queries in something.conf in raddb/sql/mysql/ • Edit raddb/sql.conf
RADIUS Accounting configuration (2) – raddb/sql.conf
    sql ws-test {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "192.168.14.23"
        login = "jupiter"
        password = "s@turn"
        radius_db = "radius"
        acct_table1 = "table1"
        acct_table2 = "table1"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        nas_table = "nas"
        $INCLUDE sql/${database}/something.conf
    }
RADIUS Accounting configuration (3) – raddb/sites-available/outer-tunnel
    ...
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        ws-test
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    ...
FreeRADIUS logs - Syslog • The file location var/log/radius/radius.log
    Fri Sep 9 12:07:34 2011 : Auth: Login OK: [anoymous@rcub.bg.ac.rs] (from client cisco5508-L port 1 cli 04-18-0f-d6-50-13)
• Configure raddb/radiusd.conf
    ....
    log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
    }
    ...
FreeRADIUS logs – Auth messages logging • In communication with one client we can log (inside and outside the tunnel): • Authentication requests • Reply messages • Pre-proxy messages • Post-proxy messages • Containing folder, by default: var/log/radius/radacct/client-ip-address/logmessagetype-date
FreeRADIUS logs – Auth messages logging - example • var/log/radius/radacct/147.91.6.201/auth-detail-20110809
    Thu Sep 8 12:06:09 2011
        Packet-Type = Access-Request
        User-Name = "anonymous@rcub.bg.ac.rs"
        Calling-Station-Id = "00-1c-26-60-27-69"
        Called-Station-Id = "18-ef-63-fc-d7-c0:eduroam"
        NAS-Port = 1
        NAS-IP-Address = 147.91.6.201
        NAS-Identifier = "cisco5508-L"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "300"
        EAP-Message = 0x020600061500
        State = 0x4c78ac7b4f7eb9522dd950731fb7c846
        Message-Authenticator = 0x2121578d2198dc33a29bff1fdf092c4a
    Thu Sep 8 12:06:10 2011
        Packet-Type = Access-Request
        User-Name = "markos@rcub.bg.ac.rs"
        FreeRADIUS-Proxied-To = 127.0.0.1
        Calling-Station-Id = "00-1c-26-60-27-69"
        Called-Station-Id = "18-ef-63-fc-d7-c0:eduroam"
        NAS-Port = 1
        NAS-IP-Address = 147.91.6.201
        NAS-Identifier = "cisco5508-L"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "300"
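An added example, not part of the deck: a small Python parser for the detail-file format shown above, pairing the anonymous outer identity with the inner identity seen for the same Calling-Station-Id, which is the join an IdP operator needs when tracing an incident back through these logs. The two records are constructed from the slide's values and trimmed to a few attributes; recognising the inner-tunnel copy by its FreeRADIUS-Proxied-To attribute is taken from the slide.

```python
import re

# Constructed sample, trimmed from the slide's two auth-detail records.
SAMPLE_DETAIL = """\
Thu Sep  8 12:06:09 2011
\tPacket-Type = Access-Request
\tUser-Name = "anonymous@rcub.bg.ac.rs"
\tCalling-Station-Id = "00-1c-26-60-27-69"
\tNAS-IP-Address = 147.91.6.201

Thu Sep  8 12:06:10 2011
\tPacket-Type = Access-Request
\tUser-Name = "markos@rcub.bg.ac.rs"
\tFreeRADIUS-Proxied-To = 127.0.0.1
\tCalling-Station-Id = "00-1c-26-60-27-69"
\tNAS-IP-Address = 147.91.6.201
"""

# Indented "Attribute = value" line; attribute names may carry a ":tag".
ATTR_RE = re.compile(r'^\s+([\w:.-]+)\s*=\s*(.*)$')

def parse_detail(text):
    """Return one dict per record: {'timestamp': ..., attribute: value, ...}.
    A non-indented line is the timestamp that opens a record."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ATTR_RE.match(line)
        if m is None:                         # timestamp line: new record
            if current:
                records.append(current)
            current = {'timestamp': line.strip()}
        elif current is not None:
            current[m.group(1)] = m.group(2).strip().strip('"')
    if current:
        records.append(current)
    return records

def identities_by_station(records):
    """Map Calling-Station-Id -> {'outer': ..., 'inner': ...} over
    Access-Requests; the inner-tunnel copy carries FreeRADIUS-Proxied-To."""
    seen = {}
    for rec in records:
        if rec.get('Packet-Type') != 'Access-Request':
            continue
        side = 'inner' if 'FreeRADIUS-Proxied-To' in rec else 'outer'
        entry = seen.setdefault(rec['Calling-Station-Id'],
                                {'outer': None, 'inner': None})
        entry[side] = rec.get('User-Name')
    return seen
```

Real detail files grow by one record per request, so run this over a whole day's file and filter on the Calling-Station-Id reported in the incident.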
FreeRADIUS logs – Auth messages logging
    server outer-tunnel {
        authorize {
            auth_log
            preprocess
            chap
            mschap
            digest
            suffix
            eap
            files
            expiration
            logintime
            pap
        }
        authenticate {
            Auth-Type PAP { pap }
            Auth-Type CHAP { chap }
            Auth-Type MS-CHAP { mschap }
            digest
            unix
            eap
        }
        preacct {
            preprocess
            acct_unique
            suffix
            files
        }
        accounting {
            detail
            unix
            radutmp
            exec
            attr_filter.accounting_response
        }
        session {
            radutmp
        }
        post-auth {
            reply_log
            exec
            Post-Auth-Type REJECT { attr_filter.access_reject }
        }
        pre-proxy {
            pre_proxy_log
        }
        post-proxy {
            post_proxy_log
            eap
        }
    }
FreeRADIUS logs – Auth messages logging
    server inner-tunnel {
        authorize {
            auth_log
            suffix
            update control {
                Proxy-To-Realm := LOCAL
            }
            eap
            files
            expiration
            logintime
            pap
        }
        authenticate {
            Auth-Type PAP { pap }
            Auth-Type CHAP { chap }
            Auth-Type MS-CHAP { mschap }
            unix
            eap
        }
        session {
            radutmp
        }
        post-auth {
            reply_log
            Post-Auth-Type REJECT { attr_filter.access_reject }
        }
        pre-proxy {
            pre_proxy_log
        }
        post-proxy {
            post_proxy_log
            eap
        }
    }
New attributes - CUI and ON • eduroam has a problem with logging of users from other realms – if a visitor causes an incident, the resource provider can only block the visitor’s entire realm • Solution: CUI – Chargeable User Identity and ON (Operator Name)
New attributes - CUI and ON • Inside the Access-Request, the resource provider sends an empty CUI attribute along with the ON (Operator Name) attribute • Based on the User-Name and the Operator-Name, the identity provider creates a random value (CUI) and returns it to the RP • This value is a unique identifier for every visiting user
New attributes - CUI and ON configuration • Configuration – raddb/policy.conf (FR version 2.1.11) defines • cui_postauth (for IdP) • cui_pre_proxy (for RP) • cui_updatedb (for RP) • cui_accounting (for RP)
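An added example, not the deck's or FreeRADIUS's own code: a Python model of the CUI exchange just described, with the RP's empty CUI request and the IdP's post-auth reply and incident lookup. The derivation is an assumption (an HMAC-SHA256 under an IdP-only key, truncated to 32 hex characters, rather than the expression in policy.conf), and the key, operator names and user names are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample secret; in a deployment this key never leaves the IdP.
IDP_CUI_KEY = b"constructed-sample-key-keep-secret"

def rp_access_request(outer_identity, operator_name):
    """RP side: the Access-Request carries an empty CUI plus the Operator-Name,
    which tells the IdP that a CUI should be returned."""
    return {"User-Name": outer_identity,
            "Operator-Name": operator_name,
            "Chargeable-User-Identity": ""}

def derive_cui(inner_user_name, operator_name):
    """IdP side (assumed construction): keyed hash over the inner identity and
    the operator. Stable for one user at one RP, different at another RP, and
    not invertible to a username without IDP_CUI_KEY."""
    msg = f"{inner_user_name}\x00{operator_name}".encode()
    return hmac.new(IDP_CUI_KEY, msg, hashlib.sha256).hexdigest()[:32]

def idp_post_auth(request, inner_user_name, audit):
    """Post-auth on the IdP: answer only when the RP asked (CUI attribute
    present), and record (operator, CUI) -> user for later incident handling."""
    if request.get("Chargeable-User-Identity") is None:
        return {}
    # Fallback name for a request without Operator-Name is an assumption.
    operator = request.get("Operator-Name") or "unknown-operator"
    cui = derive_cui(inner_user_name, operator)
    audit[(operator, cui)] = inner_user_name
    return {"Chargeable-User-Identity": cui}

def resolve_incident(audit, operator_name, cui):
    """IdP maps an RP's incident report (operator, CUI) back to a local user,
    so the RP can block one CUI instead of the whole realm."""
    return audit.get((operator_name, cui))
```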
The end • questions?